diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-02-17 20:28:12 +0530 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-02-24 16:50:20 +0530 |
| commit | 6fdb17cbbe5dc70d18f50e9d131ab70407976a71 (patch) | |
| tree | 79541d2bab89273fdf0b1d99cee7a3dfe94b0d8b /app/views/admin | |
| parent | f2ed82fa8486875660b80dd061827ac8b86d00b6 (diff) | |
| download | gitlab-ce-6fdb17cbbe5dc70d18f50e9d131ab70407976a71.tar.gz | |
Don't allow deleting a ghost user.
- Add a `destroy_user` ability. This didn't exist before, and was implicit in
other abilities (only admins could access the admin area, so only they could
destroy all users; a user can only access their own account page, and so can
destroy only themselves).
- Grant this ability to admins, and when the current user is trying to destroy
themselves. Disallow destroying ghost users in all cases.
- Modify the `Users::DestroyService` to check this ability. Also check it in
views to decide whether or not to show the "Delete User" button.
- Add a short summary of the Ghost User to the bio.
Diffstat (limited to 'app/views/admin')
| -rw-r--r-- | app/views/admin/users/_user.html.haml | 2 | ||||
| -rw-r--r-- | app/views/admin/users/show.html.haml | 5 |
2 files changed, 5 insertions, 2 deletions
diff --git a/app/views/admin/users/_user.html.haml b/app/views/admin/users/_user.html.haml index 3b5c713ac2d..a756cb7243a 100644 --- a/app/views/admin/users/_user.html.haml +++ b/app/views/admin/users/_user.html.haml @@ -34,7 +34,7 @@ - if user.access_locked? %li = link_to 'Unlock', unlock_admin_user_path(user), method: :put, class: 'btn-grouped btn btn-xs btn-success', data: { confirm: 'Are you sure?' } - - if user.can_be_removed? + - if user.can_be_removed? && can?(current_user, :destroy_user, @user) %li.divider %li = link_to 'Delete User', [:admin, user], data: { confirm: "USER #{user.name} WILL BE REMOVED! All issues, merge requests and groups linked to this user will also be removed! Consider cancelling this deletion and blocking the user instead. Are you sure?" }, diff --git a/app/views/admin/users/show.html.haml b/app/views/admin/users/show.html.haml index 76b1291fe10..840d843f069 100644 --- a/app/views/admin/users/show.html.haml +++ b/app/views/admin/users/show.html.haml @@ -173,7 +173,7 @@ .panel-heading Remove user .panel-body - - if @user.can_be_removed? + - if @user.can_be_removed? && can?(current_user, :destroy_user, @user) %p Deleting a user has the following effects: %ul %li All user content like authored issues, snippets, comments will be removed @@ -189,3 +189,6 @@ %strong= @user.solo_owned_groups.map(&:name).join(', ') %p You must transfer ownership or delete these groups before you can delete this user. + - else + %p + You don't have access to delete this user. |